Vincenzo Ciaglia
08/04/04, 22:35
=2D----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
************************************************** *************************=
*********
Netwosix Linux Security Advisory #2004-0010 <http://www.netwosix.org>
=2D -----------------------------------------------------------------------=
=2D-----------
Package name: util-linux
Summary: leak problem in util-linux
Date: 2004-04-08
Affected versions: Netwosix 1.0
Netwosix 1.1
************************************************** *************************=
*********
=2D - -> Package description:
=2D - ------------------------
Util-linux is a suite of essential utilities for any Linux system. Its prim=
ary=20
audience is system integrators and DIY Linux hackers. Util-linux is=20
attempting to be portable, but the only platform it has been tested much on=
=20
is Linux i386. It contains the following programs: agetty arch blockdev cal=
=20
cfdisk chfn chkdupexe chsh clear col colcrt colrm column ctrlaltdel cytune=
=20
ddate dmesg elvtune fastboot fasthalt fdformat fdisk fsck.cramfs fsck.minix=
=20
getopt halt hexdump hwclock initctl ipcrm ipcs isosize kill last line logge=
r=20
login look mcookie mesg mkfs mkfs.bfs mkfs.cramfs mkfs.minix mkswap more=20
mount namei need passwd pg pivot_root ramsize raw rdev readprofile reboot=20
rename renice rescuept reset rev rootflags script setfdprm setsid setterm=20
sfdisk shutdown simpleinit sln swapoff swapon tunelp ul umount vidmode vipw=
=20
wall whereis write.
=2D - -> Problem description:
=2D - ------------------------
The login program in util-linux 2.11 and earlier uses a pointer after it ha=
s=20
been freed and reallocated, which could cause login to leak sensitive data.
=2D - -> Action:
=2D - ------------------------
We recommend that all systems with this package installed be upgraded.
Please note that if you do not need the functionality provided by this
package, you may want to remove it from your system.
=2D - -> Location:
=2D - ---------------------
You can download the latest version of this package in NEPOTE format from:
<http://download.netwosix.org/0010/nepote>
=2D - -> Nepote Update:
=2D - ---------------------
See this instructions to update the port of this package:
# cd /usr/ports/
# wget http://download.netwosix.org/0010/nepote
# sh nepote (to install the new and updated package)
=2D - -> References
=2D - ---------------------
Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCAN-2004-0080
=2D - -> About Linux Netwosix:
=2D - ---------------------------------
Linux Netwosix is a powerful and optimized Linux distribution for servers
and Network Security related jobs. It can also be used for special operati=
ons
such as penetration testing with its big collection of security oriented
software and sources. It's a light distribution created for the requirements
of every SysAdmin and it's very portable and highly configurable. Our
philosophy is to give greater liberty for configuration to the SysAdmin.
Only in this way can he/she configure a powerful and stable server machine.
Linux Netwosix also has a powerful ports system (Nepote) similar to the xBSD
systems but more flexible and usable.
=2D - -> Questions?
=2D - ---------------------
Check out our mailing lists:
<http://www.netwosix.org/mailing.html>
The advisory itself is available at
<http://www.netwosix.org/adv10.html>
=2D - --------------------------------------------------
MD5sums of the packages:
=2D - - -------------------------------------------------------------------=
=2D------
84c67bd30dc89ed9462b4ef3afbf9496 0008/nepote
=2D - - -------------------------------------------------------------------=
=2D------
Vincenzo Ciaglia - Linux Netwosix Security Advisories
<ciaglia@netwosix.org> - <http://www.netwosix.org>
=2D --=20
Vincenzo Ciaglia
Linux Netwosix Team - [ Keyid: 0x6BB3E24A]
Key fingerprint =3D 4B3E A25F 2A7A 0C19 1A97 616B EA3C FDA4 6BB3 E24A
=2D----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFAdYGZ6jz9pGuz4koRAi3eAJ9dwrwRXt3WmoxyHkOUrs ODOnG7SwCgtD9i
mShi8ZgbUYixscUQxHwHdLE=3D
=3DeZly
=2D----END PGP SIGNATURE-----
Hash: SHA1
************************************************** *************************=
*********
Netwosix Linux Security Advisory #2004-0010 <http://www.netwosix.org>
=2D -----------------------------------------------------------------------=
=2D-----------
Package name: util-linux
Summary: leak problem in util-linux
Date: 2004-04-08
Affected versions: Netwosix 1.0
Netwosix 1.1
************************************************** *************************=
*********
=2D - -> Package description:
=2D - ------------------------
Util-linux is a suite of essential utilities for any Linux system. Its prim=
ary=20
audience is system integrators and DIY Linux hackers. Util-linux is=20
attempting to be portable, but the only platform it has been tested much on=
=20
is Linux i386. It contains the following programs: agetty arch blockdev cal=
=20
cfdisk chfn chkdupexe chsh clear col colcrt colrm column ctrlaltdel cytune=
=20
ddate dmesg elvtune fastboot fasthalt fdformat fdisk fsck.cramfs fsck.minix=
=20
getopt halt hexdump hwclock initctl ipcrm ipcs isosize kill last line logge=
r=20
login look mcookie mesg mkfs mkfs.bfs mkfs.cramfs mkfs.minix mkswap more=20
mount namei need passwd pg pivot_root ramsize raw rdev readprofile reboot=20
rename renice rescuept reset rev rootflags script setfdprm setsid setterm=20
sfdisk shutdown simpleinit sln swapoff swapon tunelp ul umount vidmode vipw=
=20
wall whereis write.
=2D - -> Problem description:
=2D - ------------------------
The login program in util-linux 2.11 and earlier uses a pointer after it ha=
s=20
been freed and reallocated, which could cause login to leak sensitive data.
=2D - -> Action:
=2D - ------------------------
We recommend that all systems with this package installed be upgraded.
Please note that if you do not need the functionality provided by this
package, you may want to remove it from your system.
=2D - -> Location:
=2D - ---------------------
You can download the latest version of this package in NEPOTE format from:
<http://download.netwosix.org/0010/nepote>
=2D - -> Nepote Update:
=2D - ---------------------
See this instructions to update the port of this package:
# cd /usr/ports/
# wget http://download.netwosix.org/0010/nepote
# sh nepote (to install the new and updated package)
=2D - -> References
=2D - ---------------------
Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCAN-2004-0080
=2D - -> About Linux Netwosix:
=2D - ---------------------------------
Linux Netwosix is a powerful and optimized Linux distribution for servers
and Network Security related jobs. It can also be used for special operati=
ons
such as penetration testing with its big collection of security oriented
software and sources. It's a light distribution created for the requirements
of every SysAdmin and it's very portable and highly configurable. Our
philosophy is to give greater liberty for configuration to the SysAdmin.
Only in this way can he/she configure a powerful and stable server machine.
Linux Netwosix also has a powerful ports system (Nepote) similar to the xBSD
systems but more flexible and usable.
=2D - -> Questions?
=2D - ---------------------
Check out our mailing lists:
<http://www.netwosix.org/mailing.html>
The advisory itself is available at
<http://www.netwosix.org/adv10.html>
=2D - --------------------------------------------------
MD5sums of the packages:
=2D - - -------------------------------------------------------------------=
=2D------
84c67bd30dc89ed9462b4ef3afbf9496 0008/nepote
=2D - - -------------------------------------------------------------------=
=2D------
Vincenzo Ciaglia - Linux Netwosix Security Advisories
<ciaglia@netwosix.org> - <http://www.netwosix.org>
=2D --=20
Vincenzo Ciaglia
Linux Netwosix Team - [ Keyid: 0x6BB3E24A]
Key fingerprint =3D 4B3E A25F 2A7A 0C19 1A97 616B EA3C FDA4 6BB3 E24A
=2D----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFAdYGZ6jz9pGuz4koRAi3eAJ9dwrwRXt3WmoxyHkOUrs ODOnG7SwCgtD9i
mShi8ZgbUYixscUQxHwHdLE=3D
=3DeZly
=2D----END PGP SIGNATURE-----